Blizzard Sued Over Data Breach, Authenticator Sales

UPDATED–A group of customers is suing gaming giant Blizzard Entertainment in connection with a data breach in August that resulted in user email addresses, hashed passwords and other information being stolen by attackers. The suit claims that the company did not do enough to secure users’ accounts before the compromise and that the company now is forcing users to pay for a two-factor authentication system to increase the security on their accounts.

The data breach was discovered in early August and Blizzard, which makes a number of popular online games, notified customers within a few days. The company was not specific about the timing of the breach discovery, saying only that its security team had discovered the breach that week.

“At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed,” the company’s CEO, Mike Morhaime, said in a statement at the time.

“Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.”

The Blizzard data breach was the latest in a long line of security incidents affecting gaming companies, a list that most notably includes the PlayStation Network hack from last year, which turned into a massive PR nightmare for Sony and caused the company to shut the network down for weeks.

Now, a class-action suit has been filed against Blizzard, claiming that the company is forcing users to pay $6.40 for a two-factor authentication solution called the Authenticator, to help secure their accounts. Blizzard has said that the Authenticator is an optional measure that users can employ to lock down their accounts. The lead plaintiff in the lawsuit against Blizzard is Benjamin Bell, according to a report by Courthouse News.

Blizzard officials say that the lawsuit has no merit and that its security measures are effective and the purchase of the Authenticator is optional, not mandatory, for players.

“This suit is without merit and filled with patently false information, and we will vigorously defend ourselves through the appropriate legal channels. We want to reiterate that we take the security of our players’ data very seriously, and we’re fully committed to defending our network infrastructure. We also recognize that the cyber-threat landscape is always evolving, and we’re constantly working to track the latest developments and make improvements to our defenses,” the company said in a statement.

“The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed. The suit also claims that the Battle.net Authenticator is required in order to maintain a minimal level of security on the player’s Battle.net account information that’s stored on Blizzard’s network systems. This claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose. The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure. Available as a physical device or as a free app for iOS or Android devices, it offers players an added level of security against account-theft attempts that stem from sources such as phishing attacks, viruses packaged with seemingly harmless file downloads, and websites embedded with malicious code.”

Blizzard is the publisher of several popular online games, including World of Warcraft and Diablo III.

This article was updated on Nov. 12 to add Blizzard’s statement.

About Dennis Fisher

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Suit probably won’t win, but it should. Blizzard has the worst security I’ve ever seen. The passwords aren’t case sensitive, for starters. The two-factor authentication outright doesn’t work with their /newest/ game. The authenticator also frequently needs to be reset; I had one for years, but the hackers were less of a bother. I don’t even want to know what on the back end they call security.

My account was hacked 3 times even though I am ridiculously paranoid about people getting my account data. No repeat passwords, all more than 15 characters long, never gave it out to anyone for any reason, used the authenticator, etc. You do everything right as a user, and Blizzard repeatedly messes it up, then yells at you when you have to fix it.

As with the Sony PlayStation breach, this class action filed against Blizzard demonstrates the growing importance of protecting customer data, and the financial downside for insufficient data security. The two factor authentication option that Blizzard is offering customers is actually a plus; interesting the suit claims otherwise. However, locking down the accounts is only part of the equation. Customer data needs protection from the inside-out using access control, activity monitoring and encryption.

I wouldn’t put it all on Blizzard when they make it just as easy for their customers to change their account passwords. If hackers want to hack your system they’ll figure out how to do it. The only way to expect foolproof security is to take some of the responsibility yourself and change account passwords monthly or even on a weekly basis.
